The present invention is directed to intrusion detection for a computer-based system and, more particularly, to a network security system protecting a network from disclosure of information in response to a maleficent message.
Computer networks provide connectivity between and among computer resources connected to the network and, typically, remote networks and devices. A private network may support computer resources at a single location, e.g., a local area network (LAN), or at multiple locations, e.g., a wide area network (WAN). The network infrastructure may include one or more routers for directing messages between and among computer resources connected to the network, while gateways and/or bridges connect the LAN or WAN to other, typically remote, networks. Often, the connection to remote networks is provided using open or public communications network facilities such as the ubiquitous Internet.
Once a private network is connected to an open network or otherwise provides open access to the network, security of the private network becomes a paramount concern. Typically, some form of "firewall" is required, i.e., a system that restricts access between a protected network and the Internet, or between other sets of networks. The firewall may be implemented using one or more systems including, for example, a screening router, dual-homed and screened-host gateways, a screened subnet, and an application-level gateway (or proxy server). Those skilled in the art of network security systems use these and other components and systems to restrict access to a protected network.
While certain components and systems provide some level of protection, there is increasing need for more sophisticated systems to help maintain network security. A network intrusion detection system (NIDS) provides capabilities to identify and respond to malicious or anomalous activities aimed at networked systems. Commercial products include AXENT(copyright) by Axent Technologies, Inc. (www.axent.com), Cisco(copyright) by Cisco Technology, Inc. (www.cisco.com), CyberSafe(copyright) by Cybersafe corporation (www.cybersafe.com), Safesuite(copyright) by Internet Security System, Inc. (ISS) (www.iss.net), and Shadow(copyright) (www.nswc.navy.mil/ISSEC/CID).
Further examples of network security systems are described in U.S. Pat. No. 5,414,833 of Hershey, et al. entitled "Network Security System And Method Using A Parallel Finite State Machine Adaptive Active Monitor And Responder" issued May 9, 1995; U.S. Pat. No. 5,557,742 of Smaha, et al. entitled "Method And System For Detecting Intrusion Into And Misuse Of A Data Processing System" issued Sep. 17, 1996; U.S. Pat. No. 5,720,033 of Deo entitled "Security Platform And Method Using Object Oriented Rules For Computer-Based Systems Using UNIX-Like Operating Systems" issued Feb. 17, 1998; U.S. Pat. No. 5,892,903 of Klaus entitled "Method And Apparatus For Detecting And Identifying Security Vulnerabilities In An Open Network Computer Communication System" issued Apr. 6, 1999; and U.S. Pat. No. 6,279,113 of Vaidya entitled "Dynamic Signature Inspection-Based Network Intrusion Detection" issued Aug. 21, 2001.
While these security systems inspect data packets and messages to identify attempts to gain unauthorized access to a network, the processing performed upon detection of a network intrusion may not foil the attempt. In particular, prior art systems are divided into passive and reactive types. Passive systems monitor network traffic and generate notifications and reports that can be reviewed by security personnel. Reactive implementations perform all the functions of their passive counterparts but can also take immediate action to deny access to network resources. Most reactive NIDS systems are host based; the few network-based implementations are bound to specific network hardware and specific network topologies, and work by completely filtering the offending party. Since the hosts then appear unreachable to the attacker, reporting within the protected network is lost.
Accordingly, a need exists for a device and method that protects a network from externally launched attacks while tracking and reporting such events. A further need exists for a device and method of providing network security protection and reporting that is compatible with a wide range of NIDS.
The invention is a system for and method of monitoring traffic inbound to a protected network for any signs of malicious activity. Once an attack is detected, the system acts to prevent the attacker from retrieving any data from its target.
According to one aspect of the invention, a network security system includes a router connected to a protected network, the router configured to selectively route incoming messages to respective destinations on the protected network as addressed by the respective incoming messages. A network intrusion detection system (NIDS) connected to the protected network operates to detect any attack on the protected network associated with one or more of the incoming messages. A control system on the network operates to cause the router to selectively redirect a reply message associated with the one incoming message to an alternate terminus on the protected network in response to the NIDS detecting the attack (i.e., an offending message).
According to a feature of the invention, a GateD server is connected to the protected network, wherein the reply message associated with the offending incoming message is initially addressed to an offending off-network IP address associated with the incoming message prior to rerouting by the router. In this case, the GateD server stores (i) the offending IP address associated with the incoming message and (ii) a static route pointing the offending IP address to the alternate terminus on the protected network.
According to another feature of the invention, the control system may further include a routing server storing a routing table. The routing server may include a GateD server.
According to another feature of the invention, the control system may be configured to execute a network routing daemon that understands a plurality of protocols including at least one or more of BGP, EGP, RIP, RIP II, OSPF, and HELLO. In this case, the NIDS may be configured to monitor the incoming messages to detect predetermined patterns of TCP/IP activity indicative of the attack on the protected network.
According to another feature of the invention, the NIDS may be configured to monitor packet headers of the incoming messages to detect probes.
According to another feature of the invention, the NIDS may be configured to monitor the incoming messages to detect one of:
(i) a network resource anomaly including activity that is different from a predetermined normal behavior; and
(ii) a network resource misuse including activity corresponding to known intrusion techniques, a known intrusion signature, and/or known system vulnerabilities.
According to another feature of the invention, the NIDS may be configured to notify the control system of detecting the attack via (i) a system log (syslog) message and/or (ii) a Simple Network Management Protocol (SNMP) trap.
According to another feature of the invention, the NIDS may be configured to mirror ports addressable corresponding to the destinations on the protected network.
According to another feature of the invention, the router may include a routing table, the control system configured to introduce to the router a preferred route into the routing table. The preferred route is effective to selectively redirect the reply message to the alternate terminus on the protected network. The alternate terminus on the protected network may be a system configured to analyze the reply message to identify network vulnerabilities of the protected network.
According to another feature of the invention, the control system may be configured to put an Exterior Gateway Protocol (EGP) neighbor corresponding to a destination of the reply message into a down state and generate a corresponding egpNeighborLoss trap.
According to another feature of the invention, the control system may redirect the reply message to the NIDS. The NIDS may then operate to analyze the reply message to identify network vulnerabilities.
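The redirection mechanism described above (a NIDS alert causes the control system to install a more-specific static route so that replies bound for the offending address land on an internal terminus instead) can be modelled end to end. The following is an added illustration, not code from the patent or from GateD; the syslog alert format, the addresses and the host-route convention are constructed assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample syslog line in the style a NIDS might emit (format assumed).
SAMPLE_ALERT = ("Jul 14 10:02:33 nids1 nids[2211]: ALERT probe detected "
                "src=203.0.113.7 dst=192.0.2.10")
ALERT_RE = re.compile(r"ALERT .*src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+)")


@dataclass
class Router:
    """Minimal longest-prefix-match routing table standing in for the border router."""
    routes: dict = field(default_factory=dict)   # ip_network -> next hop

    def add_route(self, prefix: str, next_hop: str) -> None:
        self.routes[ipaddress.ip_network(prefix)] = next_hop

    def lookup(self, dst: str):
        addr = ipaddress.ip_address(dst)
        # Most specific matching prefix wins, so a /32 beats the default route.
        best = max((n for n in self.routes if addr in n),
                   key=lambda n: n.prefixlen, default=None)
        return self.routes[best] if best is not None else None


def parse_alert(line: str):
    """Extract (offending source, targeted destination) from a NIDS syslog alert."""
    m = ALERT_RE.search(line)
    return (m.group("src"), m.group("dst")) if m else None


def redirect_offender(router: Router, offenders: dict, offender_ip: str, terminus: str) -> None:
    """Control-system action: record the offender and its static host route, then
    hand the preferred route to the router so replies to the attacker turn inward."""
    offenders[offender_ip] = f"{offender_ip}/32 -> {terminus}"
    router.add_route(f"{offender_ip}/32", terminus)


def demo():
    router = Router()
    router.add_route("0.0.0.0/0", "198.51.100.1")    # upstream gateway (constructed)
    router.add_route("192.0.2.0/24", "direct")        # protected LAN (constructed)
    src, _dst = parse_alert(SAMPLE_ALERT)
    before = router.lookup(src)                       # reply would leave via gateway
    offenders = {}
    redirect_offender(router, offenders, src, "192.0.2.50")   # NIDS as alternate terminus
    after = router.lookup(src)                        # reply now stays on the LAN
    return before, after, offenders


if __name__ == "__main__":
    print(demo())
```

The default route still carries every other reply; only the offender's /32 is diverted, so the protected network keeps observing the exchange instead of going dark.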
According to another aspect of the invention, a network security system includes a protected network configured to route a message between (i) a plurality of network nodes and (ii) at least one external node. A router connected to the network receives the incoming message from the external node and selectively routes it to the addressed network node. A NIDS monitors the incoming message to the protected network and provides an indication of an attempt to gain unauthorized access to the protected network. A control system is responsive to an attack so as to cause the router to selectively redirect a reply message associated with the incoming message to one of the network nodes on the protected network in response to the NIDS detecting the attack.
According to another aspect of the invention, a method of operating a network security system includes a step of selectively routing incoming messages to respective destinations on a protected network. A step of detecting an attack on the protected network associated with one of the incoming messages initiates a selective redirection of a reply message associated with that incoming message to a destination on the protected network (instead of to the external address) in response to the step of detecting the attack.
Additional objects, advantages and novel features of the invention will be set forth in part in the description which follows, and in part will become apparent to those skilled in the art upon examination of the following or may be learned by practice of the invention. The objects and advantages of the invention may be realized and attained by means of the instrumentalities and combinations particularly pointed out in the appended claims.